[OpenAFS] Future of AFS? Interesting Ideas!?

Patrick J. LoPresti patl@curl.com
05 Jan 2003 15:01:16 -0500

(This reply is late and almost entirely off-topic, but I am bored this
afternoon.  I apologize in advance.)

Derrick J Brashear <shadow@dementia.org> writes:

> Agree. We ran krb5 and kaserver in a loosely synchronized manner at
> CMU for a while, it was unpleasant. The tradeoff is now we have
> fixed-master replication. Sigh.

I was 1/4 serious when I suggested contributing Ubik code to OpenLDAP.
An Ubik-based krb5 server would be pretty cool, too.  I wonder if the
maintainers would even be interested, though.

Ken Hornstein wrote:

> Kerberos 5 seems to be doing reasonably well in that regard ... I can use
> it for SSO under Windows, Mac OS X, and most flavors of Unix.

Let's see, my users have separate passwords for our Intranet site,
Lotus Notes server, Windows domain, Unix systems, and VPN gateway.

For HTTP authentication, Kerberos is not an option (AFAIK); X.509
certificates seem to be the standard approach.  I suppose the Web
server itself could accept cleartext passwords and authenticate
against a Kerberos realm, but does that really count as "single sign

Lotus Notes, of course, is completely proprietary; no Kerberos there.
You might suggest we should change mail servers, but would Exchange
really be any better? :-) OK, we could use a generic Kerberized IMAP
server, but not all mail clients support Kerberos.  In fact, going by
installed base, most clients do not.  (Microsoft Outlook is the
most-requested mail client among my users.)  I see no good solution
here, although certificate-based SSL authentication might be possible.

Windows and Unix logins: Check.

As for the VPN gateway, I know of no Kerberos-based solution.  Here
again, public-key certificates appear to be the emerging
non-proprietary mechanism of choice.

So, I would say Kerberos could solve just about half of my
authentication problems.  Hence my lament that it is 2003 and there is
still no decent SSO solution.  I do not blame anybody in particular; I
am just frustrated.

Derrick also wrote:

> Do you think Kerberos is not (part of) said solution? Do you feel
> LDAP is?  I'm mostly just curious.

LDAP is an overengineered monstrosity.  But it appears to be the only
game in town (except for Active Directory, of course).  So yeah, I
suppose I consider it part of the solution.  I wish there were a
decent free implementation.

Kerberos, on the other hand, I am not so sure about.  Web-based
services are a very important class of application, and it is quite
possible that they will be the only important class in the long run.
So perhaps the fully standardized "Global Public Key Infrastructure"
is the real solution.  Too bad it's a myth...

I do wish the open-standards world would make up its damn mind before
Microsoft makes it up for us.

Finally, Ken wrote:

> And IMHO, OpenAFS is the sort of thing that should make use of a
> existing single sign-on infrastructure, rather than providing one
> itself.

I agree completely; in fact, this was kind of my original point :-).

 - Pat